Newsletter #435 Preview: The Night Owl Examines the Great Mac Security Fraud
March 30th, 2008If you take those published reports at face value, the vaunted security of the Mac OS is just an illusion. During the annual Pwn2Own hacking contest this past week, someone easily exploited a supposedly unknown vulnerability in Apple’s Safari on a MacBook Air within a mere two minutes, earning a ten thousand dollar paycheck for his efforts.
Now, because of a nondisclosure agreement, we don’t know just what vulnerability was present in Safari that was handled so easily, but it sounds to me like a put up job. If you believe the claim, the security flaw was so blatant that it was easily discovered, and that’s extremely unlikely.
Consider that, on the first day of the contest, nobody could attack any of the test computers, running the Mac OS, Windows Vista, and Ubuntu Linux, remotely. Thus the original $20,000 prize went unclaimed. On day number two, the terms were relaxed, so the participants could actually work directly on the computers to locate and exploit possible vulnerabilities.
Now that severely lessens the seriousness of the flaws, because it means that you are granted direct access to the computer you’re going to infect. That severely lessens the danger. No direct access, no exploit, at least under the terms of this contest.
Although he’s not talking, I really doubt that security researcher Charlie Miller had a sudden flash of inspiration from upon high to access a hostile site in Safari and win his ten grand. No way could that possibly happen in a mere two minutes except by a divine or paranormal event. Instead, it’s clear to me that he had previously investigated possible flaws in Mac OS X and had discovered a security leak he could exploit on the spot when the time arrived.
So call it a good sense of timing.
Story continued in this week’s Tech Night Owl Newsletter.
Print This Post
As I understand the article, it was a vulnerability that was already known to him. Since they weren’t able to penetrate any of the systems on the first day, they were then able to direct the operator of the system to certain websites (as I also understand the article, they never had “direct access” (i.e. hands on the device), just access to the systems over a closed network). Since he already knew about the Safari vulnerability, he had a site already setup to exploit it. That’s how he was able to penetrate the system so quickly.
“Thus the original $20,000 price went unclaimed.”
price,
Prize?
But doesn’t Vista have many known vulnerabilities also? Why couldn’t they exploit those as quickly as the Mac?
Because that won’t get you front page headlines 🙂
You know that Windows can be exploited. They’ve been there, done that.
Peace,
Gene
Part of the contest rules required it to be a new, non-public vulnerability. So, no using old vulnerabilities on Windows. The contest did not require that you develop the hack on the spot though.
And how much lead time did they have to prepare to unearth that “non-public vulnerability”?
Peace,
Gene
If a x-over cable was used (and I believe on the 2nd day it was) than the “test” was a poor example of a security breach.
I say hack it under real world conditions or shut up. Just because I’m an ace at flight simulator doesn’t mean I’m ready to fly for a commercial airliner.